Zero Day Alert: Unpatched Vulnerability in Internet Explorer 8

Researchers at HP’s Zero Day Initiative (ZDI) have just disclosed an unpatched vulnerability in Internet Explorer 8. This vulnerability allows attackers to install malware on your computer, should you click on a malicious link or open a malicious email attachment. Such malware can then allow direct access to your files. Because HP has opted for public disclosure prior to Microsoft issuing a patch, this zero day is now known to both IE 8 users and would be attackers alike.

How to ensure protection from this threat

Microsoft has yet to issue a statement or a patch regarding this latest zero day. If you are running Internet Explorer 8, you are therefore vulnerable. Fortunately, this exploit hinges on user interaction; so, to avoid infection simply follow best web practices, and avoid clicking on any mysterious links or opening any unsolicited attachments.

Researchers at HP have recommended that users running IE 8 should also consider downloading Microsoft’s Enhanced Mitigation Experience Toolkit, the generic go-to repair tool for most Microsoft vulnerabilities. Additionally, we at Emsisoft recommend considering migration to a new web browser entirely, as this is the second IE zero day that has occurred in the last month alone. (See CVE-2014-1776, from late April.)

More Zero Day Details

According to HP ZDI’s disclosure timeline, Microsoft has actually known about this vulnerability since October 11th of last year, when researchers initially notified the company of the flaw. HP ZDI’s standard practice is to give vendors 180 days to issue a patch before making public disclosure. Accordingly, HP could have made disclosure as early as April 9th, 2014, but opted instead to give Microsoft more than a month long grace period. To date, the vendor has still not issued a patch.

Public disclosure will inevitably mean that until a patch comes, attackers will be leveraging the IE 8 zero day as a path to malware infection and remote access to infected machines; and, unless Microsoft issues an out-of-band patch, as they did with last month’s IE zero day, that patch will not come until June 10th, next month’s Patch Tuesday.

Perhaps most alarming of all, however, is that IE 8 runs on Windows XP. This means that today’s zero day will remain unpatched on the now-unsupported operating system until the end of time. In other words: If you are running this combination, your system now contains an open, publicly known, door.